<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Blog Central &#187; Virtualization</title>
	<atom:link href="http://blogs.mcafee.com/enterprise/virtualization/feed" rel="self" type="application/rss+xml" />
	<link>http://blogs.mcafee.com</link>
	<description></description>
	<lastBuildDate>Tue, 21 May 2013 16:21:37 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5.1</generator>
		<item>
		<title>15 Minutes With&#8230; Ben Andrew</title>
		<link>http://blogs.mcafee.com/corporate/15-minutes-with-ben-andrew</link>
		<comments>http://blogs.mcafee.com/corporate/15-minutes-with-ben-andrew#comments</comments>
		<pubDate>Wed, 09 Nov 2011 17:54:53 +0000</pubDate>
		<dc:creator>Simon Hunt</dc:creator>
				<category><![CDATA[Cloud Security]]></category>
		<category><![CDATA[Corporate]]></category>
		<category><![CDATA[CTO]]></category>
		<category><![CDATA[Virtualization]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com/?p=12146</guid>
		<description><![CDATA[Welcome to “15 minutes with” – an occasional contribution between Simon Hunt, CTO Endpoint Security and the movers-and-shakers within McAfee’s technical community. This week on the stand is Ben Andrew, Senior Product Manager for Virtualization Security. So Ben, care to tell us how long you&#8217;ve been with McAfee, and what you&#8217;ve been involved in? Hi <a href="http://blogs.mcafee.com/corporate/15-minutes-with-ben-andrew">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>Welcome to “15 minutes with” – an occasional contribution between Simon Hunt, CTO Endpoint Security and the movers-and-shakers within McAfee’s technical community.</p>
<p>This week on the stand is Ben Andrew, Senior Product Manager for Virtualization Security.</p>
<p><strong>So Ben, care to tell us how long you&#8217;ve been with McAfee, and what you&#8217;ve been involved in? </strong></p>
<p>Hi Simon &#8211; I&#8217;ve been a part of McAfee on/off for 11 years, started in Professional Services as a Senior consultant traveling across North America implementing McAfee Security solutions, mostly in Endpoint Security, ripping out competitors’ products, dealing with 911 emergency engagements where customers were wrought with infections, mass outbreaks at places like the US Mint, Ford Motor Company, American Express, etc.</p>
<p>I moved into Product Management in 2007 and took over competitive analysis, writing technical white papers, best practice guides, before managing SiteAdvisor Enterprise. I moved into virtualization in 2009 and now manage the Endpoint Virtualization security solutions.</p>
<p><strong>It’s the virtualization topic I especially wanted to talk to you about this week &#8211; I know you&#8217;re about to release a new version of MOVE &#8211; McAfee Optimized for Virtual Environments?</strong></p>
<p><strong>For those who don&#8217;t know anything about MOVE &#8211; is it possible to sum it up simply?</strong></p>
<p>Actually, we released MOVE 2.0 a couple weeks ago. We offer a couple different solutions to solve the most common security issues in virtual environments&#8230; and have a lot planned as well.</p>
<p>Firstly we solve the problem of AV Storms – where a number of virtual machines running on the same physical box simultaneously do something like a scheduled On-Demand scan, creating a massive load on the physical host. MOVE Scheduler manages scheduled On-Demand Scan tasks by monitoring the load of the hypervisor.</p>
<p>Secondly we address the Density problem – making sure customers can continue to collapse their physical world onto the least number of boxes. MOVE AV offloads On-Access protection to a security VM instead of running full protection inside each guest VM.</p>
<p><strong>Is the concept of AV storms a real problem for datacenter owners then?</strong></p>
<p>Yes, if a security solution isn&#8217;t aware of the load of the host, scheduled scans and updates can use too many resources and overall performance can suffer dramatically, even to the point of moving workloads to other hosts (vMotion, etc.).</p>
<p><strong>Do you think people are generally aware of this problem now, or is it still something that you&#8217;d have to be an expert in to really realize is going on?</strong></p>
<p>Most customers are aware of this, and it ends up being one of the top reasons they come to us for help&#8230;</p>
<p><strong>So perhaps you can tell us more about the new features you&#8217;ve just released &#8211; you mentioned the point of MOVE was to increase performance of the virtual servers, and also keep the density up &#8211; I guess these are things you&#8217;re still working on improving?</strong></p>
<p>Yes, we made significant improvements in the shared cache in our recent release; this provides advanced &#8220;scan avoidance&#8221; &#8211; if you don&#8217;t have to scan, you don&#8217;t have to use resources&#8230; application startup times improve, etc.</p>
<p>We added support for Virtual Servers in 2.0 as well, which allows us to improve density by not requiring the full AV product to run within each and every guest VM. We do this by changing the way the AV products check the validity of a file &#8211; first we check a local (in-guest) cache to see if the file has previously been scanned by that guest; if not, the fingerprint is compared against the shared cache, which contains the files checked by all the guests, before being scanned.</p>
<p>We see about 60% density improvement in this solution over traditional AV.</p>
<p><strong>So can you put that in perspective for the audience? When we hear &#8220;scan avoidance&#8221; we usually equate that to a lower level of security &#8211; for people struggling to protect high density virtual environments at the moment, what&#8217;s their expectation when looking to implement something like MOVE when compared to traditional protection measures?</strong></p>
<p>Sure, in most virtual environments, virtual machines are based on a common template or &#8220;gold image.” When the first VM on a host boots up, with no previous shared cache, we scan the Operating system files, any applications that are launched, and then add them to the shared cache.</p>
<p>Then as subsequent VMs boot, with the same operating system, the files don&#8217;t have to be scanned = scan avoidance</p>
<p>The ability to leverage the shared cache reduces the amount of resources required.</p>
<p><strong>So no reduction in protection then?</strong></p>
<p>The offloaded solution does not offer the same level of protection offered by the full VirusScan Enterprise product, as it only provides On-Access Scanning. Because of that, we recommend implementing Host IPS in guest to provide Buffer Overflow protection, and we include it in the SKU for MOVE for Virtual Desktops.</p>
<p>As in most dynamic VDI scenarios, Virtual Images are flushed at the end of the day, in guest on-demand scans and repair functions are not required.</p>
<p><strong>So are you saying our MOVE customers can expect nearly the same performance as if they had no AV at all?</strong></p>
<p>If the scan has already been performed on the file, the experience will be similar to no AV. There are of course exceptions to this, but if the environment is properly configured with appropriate exclusions, end users experience significant performance improvements.</p>
<p>This is especially the case where users are accessing data that is stored on a network drive&#8230; and that data is already scanned where it is stored, such as a NetApp On-Tap filer protected with McAfee VSE for NetApp on-box.</p>
<p>McAfee SEs are able to provide best practice recommendations to optimize customers&#8217; environments.</p>
<p><strong>Sounds like a great release Ben. And you say it&#8217;s available to customers right now?</strong></p>
<p>Thanks Simon, yes the team did a great job. The release was posted on September 14th, and we have had lots of interest&#8230;</p>
<p><strong>So &#8220;MOVEing&#8221; on &#8211; what’s next in your world that you can tell us about? I know the life of a Product Manager is full of secrets, but is there anything on the horizon you can tell us about?</strong></p>
<p>LOL. Yeah, we have a lot coming&#8230; very cool things&#8230;</p>
<p>First, we are working very closely with VMware to release a version of MOVE that will have a vShield Endpoint add-on. This will provide customers with the ability to have basic AV protection enabled automatically when a VM is created.</p>
<p>We are also looking at the overall virtual data center to provide recommended protections at every portion.</p>
<p><strong>So final question for you Ben &#8211; something I always ask Product Managers in particular &#8211; is there anything you want to confess or apologize for? Some truly awful design decision you instigated, or a release you weren’t particularly proud of?</strong></p>
<p>Yeah, we took a hard look at the way we implemented the initial architecture</p>
<p><strong>of MOVE?</strong></p>
<p>Yes. The solution was first developed to solve the density problem of traditional AV&#8230;yet, we found that many customers need/want in-guest memory protection, so we are improving the Buffer-Overflow protection in VSE so it can be optimized.</p>
<p><strong>And you reversed that decision with the recent release?</strong></p>
<p>The reasons for the improvements in the shared cache in the recent release, and also the plan for our future release also. We intend to bring full security protections in; optimizing the components that use the most resources, then sharing the components that make sense to share (like the cache) centrally.</p>
<p><strong>Well thanks Ben for giving us an update on what’s happening in the virtualization space. Safe Travels!</strong></p>
<p>Thanks Simon. By the way, your readers can find out more about VMworld from their site, <a href="http://www.vmworld.com/community/conference/europe/">http://www.vmworld.com/community/conference/europe/</a> and about MOVE, from the McAfee site &#8211; <a href="http://mcaf.ee/move">http://mcaf.ee/move</a></p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/corporate/15-minutes-with-ben-andrew/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Virtualization Might Break Compliance</title>
		<link>http://blogs.mcafee.com/enterprise/virtualization-might-break-compliance</link>
		<comments>http://blogs.mcafee.com/enterprise/virtualization-might-break-compliance#comments</comments>
		<pubDate>Mon, 31 Oct 2011 18:16:36 +0000</pubDate>
		<dc:creator>Archive</dc:creator>
				<category><![CDATA[Enterprise]]></category>
		<category><![CDATA[Virtualization]]></category>
		<category><![CDATA[Cloud computing]]></category>
		<category><![CDATA[data center security]]></category>
		<category><![CDATA[enterprise]]></category>
		<category><![CDATA[VIrtual Machines]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com/?p=11814</guid>
		<description><![CDATA[I recently read a Gabriel Consulting Group survey entitled 2011 Data Center Security Survey: Virtualization &#38; Clouds. One statistic that really struck me was that approximately 65 percent of the respondents said that they were going to use “the same security mechanisms for physical and virtual systems.” This is an amazing statistic since most security <a href="http://blogs.mcafee.com/enterprise/virtualization-might-break-compliance">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>I recently read a Gabriel Consulting Group survey entitled 2011 Data Center Security Survey: Virtualization &amp; Clouds. One statistic that really struck me was that approximately 65 percent of the respondents said that they were going to use “the same security mechanisms for physical and virtual systems.” This is an amazing statistic since most security solutions are not optimized for both virtualized and physical environments.</p>
<p>Let’s look at a couple of examples. In the physical world, an IPS or firewall sits in-line with the network traffic, where it can block malicious or inappropriate traffic. However, if you park one of these devices in front of a virtualized server, it will never see the traffic between VMs on that server: when multiple virtual machines (VMs) communicate with each other within the same physical server, the virtualized network traffic never reaches the IPS or firewall. Now, let’s assume that one of those VMs contains credit card data. PCI DSS 11.4 says that you must use an IDS/IPS to monitor all traffic in the cardholder data environment. It seems to me that your traditional security, which relies on ports, protocols and IP addresses, isn’t going to keep you compliant. And that brings me to my second point. In the virtual world, VMs migrate to other physical machines for load balancing. How is that physical security device, which is tied to IP addresses, going to migrate with your VM?</p>
<p>Fortunately, McAfee has many security solutions that work in both physical and virtual environments. They will not only keep you compliant but they will allow you to have a consistent security policy across both environments. And, those policies are all managed from one management console.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/enterprise/virtualization-might-break-compliance/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What folly of a report – don’t be dense on density measures</title>
		<link>http://blogs.mcafee.com/virtualization/what-folly-of-a-report-%e2%80%93-don%e2%80%99t-be-dense-on-density-measures</link>
		<comments>http://blogs.mcafee.com/virtualization/what-folly-of-a-report-%e2%80%93-don%e2%80%99t-be-dense-on-density-measures#comments</comments>
		<pubDate>Mon, 14 Feb 2011 23:38:50 +0000</pubDate>
		<dc:creator>Kim Singletary</dc:creator>
				<category><![CDATA[Virtualization]]></category>
		<category><![CDATA[antivirus]]></category>
		<category><![CDATA[McAfee MOVE AV]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com/?p=7636</guid>
		<description><![CDATA[What a folly of a report illuminating nothing but questions for AV performance for VMware virtualized environments with three top antivirus companies? Normally a head-to-head comparison would include like-for-like products.  However, not this report. The McAfee MOVE AV for VDI, which would optimize the AV for the workflows, was not even included. Highlighting the ability <a href="http://blogs.mcafee.com/virtualization/what-folly-of-a-report-%e2%80%93-don%e2%80%99t-be-dense-on-density-measures">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>What a folly of a report illuminating nothing but questions for AV performance for VMware virtualized environments with three top antivirus companies? Normally a head-to-head comparison would include like-for-like products.  However, not this report. The McAfee MOVE AV for VDI, which would optimize the AV for the workflows, was not even included. Highlighting the ability to obtain higher virtual machine density through their Security Virtual Appliance, it should be no surprise that the sponsored vendor achieved higher density measures supporting increased virtual desktops.  Is this really a comparison?    </p>
<p>VM density is important but so is ensuring scalability and ease of management. Having the option to simplify security in virtualized environments that leverages a MOVE virtual appliance but is not necessarily ‘virtual machine aware’ allows for security support of not only VMware but also Citrix and Microsoft virtualized environments. One of the potential problems with all of the moving parts of virtualization is the potential to introduce failure.  The agent-less approach to AV scanning still requires the filter driver of VMware vShield in the individual VMs to be ‘virtual machine aware’ but what happens when vShield has problems, as any newly introduced software might encounter (<a href="http://mcaf.ee/a409b">http://mcaf.ee/a409b</a>) as recently reported by <a href="http://searchservervirtualization.techtarget.com/">searchservervirtualization.com</a>?</p>
<p>Find out for yourself using your workload and user situations and your environment to find out the best VM density. McAfee MOVE AV for VDI has been available since October 2010. Although there is no downloadable trial available, any McAfee Sales Representative can coordinate a proof of concept to have this tested in your environment. More information can also be found at <a href="http://www.mcafee.com/virtualization">www.mcafee.com/virtualization</a>. Another hint, ask about security management, scalability and resource requirements of the virtual appliances before making a decision solely on achieved VM density.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/virtualization/what-folly-of-a-report-%e2%80%93-don%e2%80%99t-be-dense-on-density-measures/feed</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>The Appetite For Virtualization In The Real World</title>
		<link>http://blogs.mcafee.com/virtualization/the-appetite-for-virtualization-in-the-real-world</link>
		<comments>http://blogs.mcafee.com/virtualization/the-appetite-for-virtualization-in-the-real-world#comments</comments>
		<pubDate>Tue, 01 Feb 2011 01:13:46 +0000</pubDate>
		<dc:creator>Kim Singletary</dc:creator>
				<category><![CDATA[Virtualization]]></category>
		<category><![CDATA[enterprise]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com/?p=7482</guid>
		<description><![CDATA[It’s a rare opportunity when you get to hear such a great panel of participants of chief technology officers and strategy officers talk about security for virtualized environments. However, you can click on the replay from the Citrix sponsored “Geek Speak Virtual: The Experts [Uncensored] &#8211; Virtual Security in the Real World”. Our own Candace Worley <a href="http://blogs.mcafee.com/virtualization/the-appetite-for-virtualization-in-the-real-world">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>It’s a rare opportunity when you get to hear such a great panel of participants of chief technology officers and strategy officers talk about security for virtualized environments. However, you can click on the replay from the Citrix sponsored “<a href="http://community.citrix.com/display/ocb/2011/01/10/Geek%20Speak%20Webcast%20-%20Virtual%20Security%20in%20the%20Real%20World%20%281-19%29" target="_blank">Geek Speak Virtual: The Experts [Uncensored] &#8211; Virtual Security in the Real World</a>”. Our own Candace Worley joined this roundtable giving insight into the current reality and where security needs to alter as virtualization continues to be deployed and considered.</p>
<p>90% of enterprises are earnestly considering client virtualization, most of them within the next 12 to 24 months, according to a CDW survey <a href="http://www.networkcomputing.com/virtualization/enterprises-will-tread-cautiously-into-vdi-in-2011.php" target="_blank">reported by Network Computing</a>. But this survey also points out that 61% have an expectation that client virtualization will decrease IT costs. When I’ve talked to customers and partners about the return on investment and cost models, there is no one way to measure or state benefits at this point in time. It’s a scalability issue for the most part; I believe most organizations can identify discrete workgroups that can benefit from a form of virtual desktop or even full client virtualization with VDI. The additional cost of introducing another way of offering IT to the end-user that is different from their current model, in addition to the infrastructure expenses for the small pilots or deployments, is challenging. But this is not just about technology and determining cost savings; it’s also about changing or transforming almost every function in IT, and that requires caution. In a few situations I’ve seen traditional endpoint administrators not even aware of a virtualization project underway in their organizations. These behind-closed-doors evaluations and calculations can be detrimental.</p>
<p>I like the outcome and approach from another panel of experts meeting on VDI, summarized by David Vellante <a href="http://wikibon.org/wiki/v/Virtual_Desktop_Infrastructure%3A_What%27s_in_a_Name" target="_blank">on a Wikibon entry</a> (registration required): “in order to become more of a strategic initiative, the notion of virtual desktop needs to evolve from a device-centric mentality to a data- and application-centric view”. When this happens, return on investment measures can include an estimated increase in end-user productivity, stronger business continuity controls, increased compliance with decreased liability, improved security and better business applications. Since ‘app’ was declared <a href="http://www.msnbc.msn.com/id/40971744/ns/us_news-life/" target="_blank">the word of the year for 2010</a>, there might be something to this concept.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/virtualization/the-appetite-for-virtualization-in-the-real-world/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Pondering Security And Virtual Desktops</title>
		<link>http://blogs.mcafee.com/virtualization/pondering-security-and-virtual-desktops</link>
		<comments>http://blogs.mcafee.com/virtualization/pondering-security-and-virtual-desktops#comments</comments>
		<pubDate>Tue, 18 Jan 2011 22:41:13 +0000</pubDate>
		<dc:creator>Kim Singletary</dc:creator>
				<category><![CDATA[Virtualization]]></category>
		<category><![CDATA[enterprise]]></category>
		<category><![CDATA[Mid-Market]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com/?p=7356</guid>
		<description><![CDATA[If you’re like any of the surveyed CIOs from an Information Week article mid 2010, 77% of corporations are currently using or testing solutions for VDI (http://mcaf.ee/c8b2e).  But this really doesn’t tell the whole story. Virtual desktops are a disruptive technology, most deployments don’t have an outwardly positive return on investment, and there are a wide <a href="http://blogs.mcafee.com/virtualization/pondering-security-and-virtual-desktops">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>If you’re like any of the surveyed CIOs from an Information Week article mid 2010, 77% of corporations are currently using or testing solutions for VDI (<a href="http://mcaf.ee/c8b2e">http://mcaf.ee/c8b2e</a>).  But this really doesn’t tell the whole story. Virtual desktops are a disruptive technology, most deployments don’t have an outwardly positive return on investment, and there are a wide variety of options and vendors to review.  What I don’t see reflected in the marketing and online dialogues and communities is how does the business have to change their thinking, planning and eventually services to achieve the most from virtual desktops and how this may need to filter down to how one thinks about security.</p>
<p>One of the exciting elements of this technology is breaking out of the ‘one size fits all’ model to delivering true customized workflows.  As consumers we are already primed with customized and highly available experiences from app stores, mobile payment and rewards cards, members only limited time sales and discounts, and ability to create feeds of information based on our preferences and history.  All of these scream personalization, something large organizations historically have not been good at. </p>
<p>Since the time of Henry Ford, factory mentality has prevailed, with a few exceptions for executives or limited classification based on business unit. But future-thinking organizations are looking at micro groups that can immediately benefit from virtual desktops. They are embracing the fact that the most valuable asset, and also risk, to the organization is the knowledge worker, and are starting to roll out services and systems that align to their consumer experience and facilitate a more flexible work style. By the way, when technology-savvy employees are enabled, according to an iPass survey, they work up to 240 hours more a year (<a href="http://mcaf.ee/49ba7">http://mcaf.ee/49ba7</a>).</p>
<p>How should security change? Security can be traditionally measured by the number of threats blocked and days without compromise. This is valuable, but many of the issues around security today also need to be driven around policy and acceptable use. Security policy management needs to be flexible and easy to manage to make this successful for enterprises. Unfortunately, security and policy management is many times an afterthought to the design and business requirements.</p>
<p>So you’re thinking of supporting iPads in your organization? What kind of security policy setting is possible? You can deny access to the corporate network if the device has been jailbroken, and you can implement a set of enterprise-recommended applications, now available with <a href="http://investor.mcafee.com/releasedetail.cfm?ReleaseID=542987" target="_blank">McAfee Enterprise Mobility Manager</a>. If you’re implementing VDI to an iPad or tablet, say with Citrix XenDesktop, you can ensure virus protection of the VDI workflow with <a href="http://www.mcafee.com/us/products/move-anti-virus.aspx">McAfee MOVE AV for VDI</a>, setting the AV security policy per VDI or specific work group. But for enterprises, having the ease of management to set these policies and report on compliance is what should matter. You can now report on the device compliance (what applications are installed and issues that make it out of compliance) and also report on the VDI workflow security compliance and virus scanning results.</p>
<p>There are many options, and personalization and consumerization can overwhelm an enterprise with complexity. But an additional six weeks of potential work, or the ability to enable business even when Mother Nature wants to declare a snow day, is the opportunity for IT.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/virtualization/pondering-security-and-virtual-desktops/feed</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
	</channel>
</rss>
